Zeus 2.1 is harder to detect and subject to automatic analysis by antivirus products

October 21, 2010

4 Min Read


NEW YORK, Oct. 20, 2010 Trusteer, the leading provider of secure browsing services, today reported that it has captured and analyzed a new version (2.1) of the Zeus financial malware and found that it has added sophisticated new mechanisms to commit online fraud and remain the Trojan of choice for criminals. Zeus has not only improved its business logic but also its ability to avoid detection and automatic analysis by antivirus vendors. Zeus is under the spotlight of security vendors, banks, and law enforcement, which forces its developers to continually improve it to avoid losing business to competing malware like Bugat, Clampi, and SpyEye. Just like commercial application developers, the creators of Zeus run an R&D programme to ensure it can avoid detection and side-step the growing number of IT security mechanisms designed to detect, block and eliminate it.

New capabilities in Zeus 2.1 include:

. URL matching based on a full implementation of the Perl Compatible Regular Expressions (PCRE) library. This allows much more flexibility for Zeus's configuration to define targets. For example, Zeus can now target all URLs that start with "https" and then zero in on those that contain specific digits and keywords. Earlier Zeus versions had a primitive regular expression implementation which provided very little flexibility in specifying target URLs.

. The injection mechanism (Zeus's main "work horse") now uses sophisticated regular expressions based on PCRE as well, which helps avoid detection. It can target individual web pages with elaborate injections, while not injecting into other pages. This surgical injection method creates more convincing pages and can target more banks using a single attack.

. Zeus now has a fine-grained "grabbing" mechanism, again based on PCRE, which can extract very specific areas of the page (e.g. the account balance) and report them to the C&C host. The grab mechanism provides an efficient way of collecting user data (such as account balance), as opposed to the cumbersome and wasteful way (supported by earlier Zeus variants) of having to copy the full page.

. As other researchers have already pointed out Zeus 2.1 completely changed the way it communicated with its Command &Control (C&C) servers with a daily list of hundreds of C&C hostnames, through which it cycles trying to find a live one which is a considerable improvement over the previous scheme.

. Zeus has added a 1024-bit RSA public key, which will probably be used for one-way encryption of data and authenticating the C&C server to Zeus clients.

"Since the Trusteer Secure Browsing software is installed on the PCs of millions of bank customers, automatically classifying, blocking, analyzing, and removing financial malware such as Zeus, our researchers can see enhanced attack vectors in real time," said Mickey Boodaei, CEO of Trusteer. "The improvements are similar to those seen in commercial software, but instead of enhancements being released on a monthly or annual basis, the timescales are now being compressed to just days and weeks, largely because of the immense fraudulent revenues involved. While commercial software needs to undergo extensive quality assurance processes before being released, Zeus has the luxury of pushing rapid updates without worrying too much about software quality."

Previous malware has risen in popularity, then been tweaked and then faded away, the enhancements in Zeus - which is currently into version 2.1 - show no signs of abating, largely because of the modular coding structure of Zeus. The modular approach, for example means that exploit hacks can be used to enhance the ability of Zeus to stage a real-time bank access attack, and so greatly extend its useful lifetime to the cybercriminals. As with any commercial application, software product maintenance and support are two of the more important reasons why users buy and use products, and Zeus has proven over the last three years that it does both very well for the cybercriminals.

The Zeus developers keep releasing new features - such as a highly granular browser injection facility - that allow them to stay one step ahead of the IT security community, as well as fixing bugs and other issues in previous versions. This level of commitment attracts the fraudsters' business and maintains interest in the Trojan amongst security vendors, banks and law enforcement officials. And this in turn re-enforces the security circle, with hacker coders constantly tweaking and improving the malware as time goes on.

"The big question is how long can Zeus stay in pole position in the malware fraud charts? Our researchers suggest that, given its ability to be morphed and enhanced, it's going to be some while yet before other malware gets a look in at the top spot. And this means that hackers have a vested interest to keep Zeus ahead of the game as far as its ability to defraud, forcing them to improve and increase their effort all the time to avoid losing the cybercriminal's business," Boodaei said.

IT security teams trying to defend against Zeus should:

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights